darknet-mcp-server

mcp
Security Audit
Warn
Health Warn
  • License — License: MIT
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Low visibility — Only 5 GitHub stars
Code Warn
  • network request — Outbound network request in src/abusech/index.ts
  • network request — Outbound network request in src/abuseipdb/index.ts
  • network request — Outbound network request in src/blockchain/index.ts
Permissions Pass
  • Permissions — No dangerous permissions requested


SUMMARY

66-tool MCP server for dark web intelligence — breach data, ransomware tracking, Tor .onion access, malware analysis, blockchain intel, exploit search, stealer logs

README.md



darknet-mcp-server

Dark web & threat intelligence for AI agents.

HIBP, ThreatFox, ransomware tracking, Tor .onion access, blockchain intel, exploit search, stealer logs, malware analysis — unified into a single MCP server.
Your AI agent gets full-spectrum dark web intelligence on demand, not 16 browser tabs and manual correlation.




The Problem

Dark web intelligence is the missing layer in every security investigation. Breach databases, ransomware trackers, Tor hidden services, malware sandboxes, stealer logs, blockchain forensics, exploit databases — the data you need is scattered across dozens of platforms, each with its own API, its own auth, its own rate limits, its own output format. Today you check HIBP in one tab, ThreatFox in another, browse ransomware leak sites through Tor, pull up MalwareBazaar for a hash, check blockchain transactions on a block explorer, and then spend an hour manually piecing it all together.

Traditional dark web intel workflow:
  check breach exposure           ->  HIBP web interface (paid API)
  search leaked credentials       ->  IntelligenceX web interface
  track ransomware groups         ->  ransomware.live + ransomlook.io (2 separate UIs)
  access .onion hidden services   ->  Tor Browser manually
  analyze malware samples         ->  Hybrid Analysis + MalwareBazaar (2 more UIs)
  check IP abuse history          ->  AbuseIPDB + GreyNoise (2 more UIs)
  trace cryptocurrency            ->  blockchain.info + ChainAbuse
  search for exploits             ->  Vulners web interface
  check phishing URLs             ->  PhishTank web interface
  correlate everything            ->  copy-paste into a report
  ────────────────────────────────
  Total: 60+ minutes per investigation, most of it switching contexts

darknet-mcp-server gives your AI agent 66 tools across 16 data sources via the Model Context Protocol. The agent queries all sources in parallel, correlates data across the surface and dark web, identifies threats, and presents a unified intelligence picture — in a single conversation.

With darknet-mcp-server:
  You: "Investigate the breach exposure and threat landscape for target.com"

  Agent: -> HIBP: 3 known breaches (Adobe 2013, LinkedIn 2021, Collection #1)
         -> ThreatFox: 2 IOCs associated with domain (C2 callback, phishing)
         -> URLhaus: 1 malicious URL hosted on subdomain
         -> Ransomware: No victim listings found (good)
         -> Stealer logs: 47 compromised employee credentials found
         -> OTX: 5 threat pulses referencing the domain
         -> AbuseIPDB: Primary IP has 12 abuse reports (brute force)
         -> "target.com has been in 3 data breaches exposing 2.1M records.
            47 employee credentials found in stealer logs — immediate
            password reset recommended. 2 active ThreatFox IOCs suggest
            ongoing targeting. No ransomware listings, but the abuse
            reports on the primary IP warrant investigation."

How It's Different

Existing tools give you raw data one source at a time. darknet-mcp-server gives your AI agent the ability to reason across surface web and dark web intelligence simultaneously.

| | Traditional Approach | darknet-mcp-server |
|---|---|---|
| Interface | 16 different web UIs, CLIs, and APIs | MCP — AI agent calls tools conversationally |
| Data sources | One platform at a time | 16 sources queried in parallel |
| Breach intel | HIBP web UI for breaches, IntelligenceX for leaks | Agent combines HIBP breaches + pastes + IntelligenceX + stealer logs |
| Dark web access | Manual Tor Browser, copy-paste from .onion sites | Agent fetches, scrapes, and searches .onion sites via SOCKS5 proxy |
| Malware analysis | Hybrid Analysis + MalwareBazaar + ThreatFox separately | Agent cross-references: "This hash from ThreatFox was also detonated in Hybrid Analysis with network IOCs" |
| Blockchain | Block explorer + ChainAbuse separately | Agent traces BTC transactions and checks abuse reports in one step |
| API keys | Required for almost everything | Many tools work free; API keys unlock premium sources |
| Setup | Install each tool, manage each config, run Tor Browser | npx darknet-mcp-server — one command, zero config |

Quick Start

Option 1: npx (no install)

npx darknet-mcp-server

Free tools work immediately. No API keys required for ransomware tracking, breach listings, GreyNoise, blockchain, OTX, and more.

Option 2: Clone

git clone https://github.com/badchars/darknet-mcp-server.git
cd darknet-mcp-server
bun install

Environment variables (optional)

# Breach & credential intelligence
export HIBP_API_KEY=your-key           # Enables breach account search & paste search
export INTELX_API_KEY=your-key         # Enables 4 IntelligenceX tools

# Threat intelligence
export OTX_API_KEY=your-key            # Increases AlienVault OTX rate limits
export ABUSEIPDB_API_KEY=your-key      # Enables 4 AbuseIPDB tools
export ABUSECH_AUTH_KEY=your-key       # Higher rate limits for abuse.ch suite
export PULSEDIVE_API_KEY=your-key      # Higher rate limits for Pulsedive

# Stealer logs & credentials
export HUDSONROCK_API_KEY=your-key     # Enables 3 Hudson Rock stealer log tools

# Exploit & malware analysis
export VULNERS_API_KEY=your-key        # Enables Vulners search & exploit tools
export HYBRID_API_KEY=your-key         # Enables 3 Hybrid Analysis malware tools

# Phishing
export PHISHTANK_API_KEY=your-key      # Higher rate limits for PhishTank

# Tor SOCKS5 proxy (for .onion access)
export TOR_SOCKS_HOST=127.0.0.1       # Default: 127.0.0.1
export TOR_SOCKS_PORT=9050            # Default: 9050

All API keys are optional. Without them, you still get ransomware tracking, breach listings, GreyNoise, blockchain intelligence, OTX, Tor exit node checks, onion search, CIRCL onion lookup, and more.

Connect to your AI agent

Claude Code

# With npx
claude mcp add darknet-mcp-server -- npx darknet-mcp-server

# With local clone
claude mcp add darknet-mcp-server -- bun run /path/to/darknet-mcp-server/src/index.ts

Claude Desktop

Add to ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "darknet": {
      "command": "npx",
      "args": ["-y", "darknet-mcp-server"],
      "env": {
        "HIBP_API_KEY": "optional",
        "INTELX_API_KEY": "optional",
        "ABUSEIPDB_API_KEY": "optional",
        "HUDSONROCK_API_KEY": "optional",
        "HYBRID_API_KEY": "optional",
        "VULNERS_API_KEY": "optional"
      }
    }
  }
}
Cursor / Windsurf / other MCP clients

Same JSON config format. Point the command to npx darknet-mcp-server or your local installation path.

Tor setup (optional, for .onion access)

The 7 Tor tools (tor_fetch_onion, tor_scrape_onion, etc.) require a running Tor SOCKS5 proxy.

# macOS
brew install tor && brew services start tor

# Linux
sudo apt install tor && sudo systemctl start tor

# Docker
docker run -d -p 9050:9050 dperson/torproxy

# Verify connectivity
npx darknet-mcp-server --check-tor

Start querying

You: "Check if example.com has been in any data breaches and look for stealer logs"

That's it. The agent handles breach lookups, credential searches, threat correlation, and more automatically.


What The AI Can Do

Breach Investigation

You: "Check if example.com has been in any data breaches"

Agent: -> breachList {domain: "example.com"}
       -> breachSearch {account: "[email protected]"}
       -> stealer_domain {domain: "example.com"}
       -> intelx_search {term: "example.com"}
       -> "example.com appears in 5 known breaches:
          - ExampleDB 2023: 4.2M records (emails, passwords, IPs)
          - Collection #1: credential stuffing list
          - Combolist 2024: 890K email:password pairs
          Stealer logs: 23 compromised machines with saved credentials
          for example.com found in Hudson Rock database.
          IntelligenceX: 47 results across paste sites and dark web."

Ransomware Tracking

You: "What ransomware groups are targeting healthcare?"

Agent: -> ransomwareBySector {sector: "healthcare"}
       -> ransomwareRecent {}
       -> ransomlookRecent {}
       -> "Healthcare sector ransomware activity:
          142 victims across 12 groups in the last 12 months.
          Top groups: LockBit3 (38 victims), BlackCat/ALPHV (24),
          Cl0p (19), Royal (15).
          Most recent: MedCorp Inc. listed by LockBit3 (2 days ago).
          3 new healthcare victims in the last week across
          ransomware.live and RansomLook feeds."

Dark Web Recon

You: "Search for mentions of our company on .onion sites"

Agent: -> tor_search_onion {query: "AcmeCorp"}
       -> intelx_search {term: "acmecorp.com"}
       -> onion_lookup {address: "relevant-onion-address.onion"}
       -> "Dark web search results for AcmeCorp:
          Ahmia.fi: 3 .onion pages mention AcmeCorp
          - Forum post discussing AcmeCorp employee list (leak forum)
          - Marketplace listing for AcmeCorp database (unverified)
          - Blog post referencing AcmeCorp breach
          IntelligenceX: 12 results on paste sites
          Recommendation: investigate the forum post and marketplace
          listing for potential active data sales."

Malware Analysis

You: "Analyze this file hash for malware indicators: abc123def456..."

Agent: -> malware_search {hash: "abc123def456..."}
       -> malware_overview {sha256: "abc123def456..."}
       -> bazaarHash {hash: "abc123def456..."}
       -> threatfoxSearch {searchTerm: "abc123def456..."}
       -> otx_hash {hash: "abc123def456..."}
       -> "Malware analysis for abc123def456:
          Hybrid Analysis: MALICIOUS (threat score 95/100)
          - Family: AgentTesla (info stealer)
          - MITRE ATT&CK: T1555 (Credential Access), T1071 (C2)
          - Network IOCs: 3 C2 domains, 2 IPs
          MalwareBazaar: First seen 2024-03-15, tagged 'AgentTesla'
          ThreatFox: 2 IOC entries linking to same campaign
          OTX: Referenced in 4 threat pulses"

Tools Reference (66 tools)

Tor Network (7) — No API key (Tor daemon required for .onion tools)

| Tool | Description |
|---|---|
| tor_status | Check if the local Tor SOCKS5 proxy daemon is running and accessible |
| tor_fetch_onion | Fetch raw HTML from a .onion URL via Tor SOCKS5 proxy (DNS leak prevention via socks5h) |
| tor_scrape_onion | Fetch and parse a .onion site — returns structured data: title, links, body text |
| tor_search_onion | Search for .onion sites using the Ahmia.fi search engine |
| tor_exit_nodes | Get current Tor exit node IP addresses from the official Tor Project bulk exit list |
| tor_exit_check | Check if a specific IP address is a known Tor exit node |
| tor_exit_details | Get detailed Tor exit node information including fingerprints and publish timestamps |

Ransomware Intelligence (9) — No API key

| Tool | Description |
|---|---|
| ransomwareRecent | Fetch the most recent ransomware victims from ransomware.live |
| ransomwareGroups | List all known ransomware groups tracked by ransomware.live |
| ransomwareGroup | Get a detailed profile for a specific ransomware group by name |
| ransomwareGroupVictims | Get all victims claimed by a specific ransomware group |
| ransomwareSearch | Search ransomware victims by keyword (company name, domain, etc.) |
| ransomwareByCountry | Get ransomware victims filtered by ISO 3166-1 alpha-2 country code |
| ransomwareBySector | Get ransomware victims filtered by sector/industry (healthcare, finance, etc.) |
| ransomlookGroups | List all 582+ ransomware groups tracked by RansomLook |
| ransomlookRecent | Fetch the most recent ransomware posts and victim claims from RansomLook |

Breach Intelligence — HIBP (7) — Partial: some tools free, account search requires HIBP_API_KEY

| Tool | Description |
|---|---|
| breachList | List all known data breaches from HaveIBeenPwned, optionally filtered by domain — free |
| breachGet | Get details of a specific data breach by name — free |
| breachLatest | Get the most recently added data breach — free |
| breachDataClasses | List all data classes (types of compromised data) known to HIBP — free |
| breachPassword | Check if a password has appeared in known breaches (k-anonymity: only the 5-char SHA-1 prefix is sent) — free |
| breachSearch | Search all breaches for a specific account (email/username) — requires HIBP_API_KEY |
| breachPastes | Search for an email address in publicly posted pastes — requires HIBP_API_KEY |

abuse.ch Suite (9) — No API key (ABUSECH_AUTH_KEY optional for higher rate)

| Tool | Description |
|---|---|
| threatfoxGetIocs | Get recent IOCs from ThreatFox reported in the last N days |
| threatfoxSearch | Search ThreatFox IOCs by IP, domain, hash, or URL |
| threatfoxTag | Search ThreatFox IOCs by tag (e.g., Cobalt Strike, Emotet) |
| threatfoxMalware | Search ThreatFox IOCs by malware family using Malpedia naming |
| urlhausLookup | Look up a URL or host in URLhaus for malware distribution |
| urlhausTag | Search URLhaus entries by tag |
| bazaarHash | Look up a malware sample in MalwareBazaar by MD5, SHA1, or SHA256 hash |
| bazaarRecent | Get the most recently submitted malware samples from MalwareBazaar |
| bazaarTag | Search MalwareBazaar by tag or YARA signature name |

AlienVault OTX (5) — No API key (OTX_API_KEY optional for higher rate)

| Tool | Description |
|---|---|
| otx_ip | Look up threat intelligence for an IP address — pulse info, reputation, country, ASN |
| otx_domain | Look up threat intelligence for a domain — pulse info, whois, reputation |
| otx_hash | Look up threat intelligence for a file hash (MD5, SHA1, SHA256) |
| otx_cve | Look up threat intelligence for a CVE — related pulses and indicators |
| otx_search_pulses | Search OTX threat pulses by keyword |

AbuseIPDB (4) — Requires ABUSEIPDB_API_KEY

| Tool | Description |
|---|---|
| abuseipdb_check | Check an IP address for abuse reports — confidence score, ISP, country, report count |
| abuseipdb_reports | Get individual abuse reports for an IP with detailed comments and categories |
| abuseipdb_blacklist | Get AbuseIPDB's blacklist of the most reported malicious IP addresses |
| abuseipdb_check_block | Check an entire CIDR network block for abuse reports |

GreyNoise Community (2) — No API key

| Tool | Description |
|---|---|
| greynoise_ip | Look up an IP on GreyNoise — classification (benign/malicious/unknown), scanner status |
| greynoise_check | Quick check: is this IP a known scanner or known benign service? |

Pulsedive (3) — No API key (PULSEDIVE_API_KEY optional for higher rate)

| Tool | Description |
|---|---|
| pulsedive_indicator | Look up an indicator (IP, domain, URL, or hash) — risk level, threats, feeds |
| pulsedive_search | Search Pulsedive indicators by value |
| pulsedive_explore | Explore linked indicators using advanced queries (related IOCs with risk levels) |

Hudson Rock Stealer Logs (3) — Requires HUDSONROCK_API_KEY

| Tool | Description |
|---|---|
| stealer_domain | Search stealer log entries by domain — compromised machines, credentials, malware details |
| stealer_email | Search stealer logs by email address — compromised machines with that email in browser credentials |
| stealer_ip | Search stealer logs by IP address — compromised machines originating from that IP |

Vulners Exploits (3) — No API key (VULNERS_API_KEY optional for search)

| Tool | Description |
|---|---|
| vulners_search | Search the Vulners vulnerability database using Lucene queries |
| vulners_id | Look up a specific vulnerability or exploit by ID (CVE, EDB, GHSA) — free |
| vulners_exploit | Search specifically for exploits (ExploitDB entries) |

Blockchain Intelligence (4) — No API key

| Tool | Description |
|---|---|
| btc_address | Look up a Bitcoin address — balance, transaction count, recent transactions |
| btc_balance | Get Bitcoin address balance in satoshi (quick check without full history) |
| btc_tx | Get detailed Bitcoin transaction information by hash — inputs, outputs, fees, block info |
| btc_abuse_check | Check a Bitcoin address for abuse reports on ChainAbuse — scam reports with categories |

Hybrid Analysis Malware (3) — Requires HYBRID_API_KEY

| Tool | Description |
|---|---|
| malware_search | Search the Hybrid Analysis sandbox by file hash — verdict, AV detection rate, analysis details |
| malware_overview | Full malware analysis overview — MITRE ATT&CK techniques, network indicators, processes |
| malware_feed | Get the latest malware detonation feed — recently analyzed samples with verdicts |

CIRCL Onion Lookup (1) — No API key

| Tool | Description |
|---|---|
| onion_lookup | Look up metadata for a .onion address via the CIRCL AIL project — first/last seen, status, tags, certs, ports, BTC addresses |

IntelligenceX (4) — Requires INTELX_API_KEY

| Tool | Description |
|---|---|
| intelx_search | Initiate a search on IntelligenceX for leaked data, dark web content, and more |
| intelx_search_results | Retrieve results for an IntelligenceX search by ID |
| intelx_phonebook | Phonebook search — find emails, domains, URLs associated with a term |
| intelx_phonebook_results | Retrieve phonebook search results by ID |

PhishTank (1) — No API key (PHISHTANK_API_KEY optional for higher rate)

| Tool | Description |
|---|---|
| phishing_check | Check if a URL is a known phishing site via PhishTank |

Meta (1) — No API key

| Tool | Description |
|---|---|
| darknet_list_sources | List all available data sources with configuration status, API key status, and tool counts |
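The breachPassword row above says only the first 5 hex characters of the SHA-1 hash leave the machine. The following is an added example, not code from the darknet-mcp-server project, showing what that k-anonymity flow looks like end to end: hash locally, send the prefix, receive every suffix sharing that prefix, and match the remaining 35 characters locally. The function names (sha1Upper, splitHash, parseRange, pwnedCount) and the sample range body are assumptions constructed for the example; the counts in the sample are made up except that the suffix for the string "password" is its real SHA-1 remainder.

```typescript
import { createHash } from "node:crypto";

// A range fetcher takes a 5-hex-char prefix and returns the raw "SUFFIX:COUNT" body
// that the Pwned Passwords range endpoint would return for that prefix.
export type RangeFetcher = (prefix: string) => string;

// HIBP keys its range index on the upper-case hex SHA-1 of the password.
export function sha1Upper(password: string): string {
  return createHash("sha1").update(password, "utf8").digest("hex").toUpperCase();
}

// Split the 40-char hash: the prefix (5 chars) is the only part transmitted,
// the suffix (35 chars) never leaves the client.
export function splitHash(hashHex: string): { prefix: string; suffix: string } {
  if (!/^[0-9A-F]{40}$/.test(hashHex)) throw new Error("expected 40 upper-case hex chars");
  return { prefix: hashHex.slice(0, 5), suffix: hashHex.slice(5) };
}

// Parse "SUFFIX:COUNT" lines (CRLF or LF). Padding entries with count 0 are kept
// so a caller can see them, but they never count as a hit.
export function parseRange(body: string): Map<string, number> {
  const out = new Map<string, number>();
  for (const raw of body.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line) continue;
    const sep = line.indexOf(":");
    if (sep < 0) continue;
    const suffix = line.slice(0, sep).toUpperCase();
    const count = Number.parseInt(line.slice(sep + 1), 10);
    if (suffix.length === 35 && Number.isFinite(count)) out.set(suffix, count);
  }
  return out;
}

// How many times the password appears in the breach corpus (0 = not seen).
// The full hash is never sent: only `prefix` goes to the fetcher.
export function pwnedCount(password: string, fetchRange: RangeFetcher): number {
  const { prefix, suffix } = splitHash(sha1Upper(password));
  const counts = parseRange(fetchRange(prefix));
  return counts.get(suffix) ?? 0;
}

// Constructed offline sample (assumption, not real API output). The second line's
// suffix is the real SHA-1 remainder for "password"; the counts are made up.
export const SAMPLE_RANGES: Record<string, string> = {
  "5BAA6": [
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0", // padding-style entry, never a hit
  ].join("\r\n"),
};

// Offline fetcher: unknown prefixes yield an empty range, i.e. "not found".
export const offlineFetcher: RangeFetcher = (prefix) => SAMPLE_RANGES[prefix] ?? "";

console.log("password  ->", pwnedCount("password", offlineFetcher));
console.log("unlisted  ->", pwnedCount("constructed-unlisted-passphrase", offlineFetcher));
```

In a live client the fetcher would perform an HTTPS GET of `https://api.pwnedpasswords.com/range/<prefix>` and hand the body to parseRange; sending the `Add-Padding: true` request header makes the service pad responses so their size does not reveal how many real suffixes share the prefix. The important property to preserve in any reimplementation is that the password and its full hash stay in process memory and only the 5-character prefix is ever put on the wire.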

CLI Usage

# List all available tools
npx darknet-mcp-server --list

# Check Tor SOCKS5 proxy connectivity
npx darknet-mcp-server --check-tor

# Run any tool directly
npx darknet-mcp-server --tool breachList '{"domain":"adobe.com"}'
npx darknet-mcp-server --tool ransomwareRecent '{}'
npx darknet-mcp-server --tool tor_search_onion '{"query":"marketplace"}'
npx darknet-mcp-server --tool btc_address '{"address":"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"}'

# Tools requiring API keys
HIBP_API_KEY=your-key npx darknet-mcp-server --tool breachSearch '{"account":"[email protected]"}'
HYBRID_API_KEY=your-key npx darknet-mcp-server --tool malware_search '{"hash":"abc123..."}'

Data Sources (16)

| Source | Auth | Rate Limit | What it provides |
|---|---|---|---|
| Have I Been Pwned | HIBP_API_KEY | 1 req/1.5s | Breach search, paste search, password check, breach listings |
| IntelligenceX | INTELX_API_KEY | 1 req/s | Dark web content, leaked data search, phonebook (emails/domains/URLs) |
| AlienVault OTX | Optional | 1 req/s | Threat intel for IPs, domains, hashes, CVEs; threat pulse search |
| AbuseIPDB | ABUSEIPDB_API_KEY | 1 req/s | IP abuse reports, confidence scoring, blacklist, CIDR block check |
| abuse.ch (ThreatFox) | Optional | 2 req/s | IOC search, malware family tracking, tag-based search |
| abuse.ch (URLhaus) | Optional | 2 req/s | Malware distribution URL tracking, host/URL lookup |
| abuse.ch (MalwareBazaar) | Optional | 2 req/s | Malware sample repository, hash lookup, YARA signature search |
| GreyNoise | None | 1 req/s | IP classification (benign/malicious), internet scanner detection |
| Pulsedive | Optional | 1 req/s | Indicator enrichment, risk scoring, linked IOC exploration |
| Hudson Rock Cavalier | HUDSONROCK_API_KEY | 1 req/s | Stealer log search by domain, email, or IP |
| Vulners | Optional | 1 req/s | Vulnerability/exploit database, CVE lookup, ExploitDB search |
| Blockchain.info | None | 1 req/s | Bitcoin address lookup, balance, transaction details |
| ChainAbuse | None | 1 req/s | Bitcoin address abuse/scam reports |
| Hybrid Analysis | HYBRID_API_KEY | 1 req/s | Malware sandbox detonation, MITRE ATT&CK mapping, sample feed |
| CIRCL AIL (Onion Lookup) | None | 0.5 req/s | .onion address metadata, first/last seen, associated BTC addresses |
| Tor Network | None | N/A | Exit node list, .onion fetching/scraping, Ahmia.fi search |

Architecture

src/
  index.ts                # CLI entrypoint (--help, --list, --check-tor, stdio server)
  protocol/
    mcp-server.ts         # MCP server setup (stdio transport)
    tools.ts              # Tool registry — all 66 tools assembled here
  types/
    index.ts              # Shared types (ToolDef, ToolContext, ToolResult)
  utils/
    rate-limiter.ts       # Per-provider rate limiter
    cache.ts              # TTL cache for API responses
    tor-fetch.ts          # Tor SOCKS5 proxy HTTP client
    require-key.ts        # API key validation helper
  tor/                    # Tor Network tools (7)
  ransomware/             # Ransomware Intelligence tools (9)
  breach/                 # HIBP Breach tools (7)
  abusech/                # ThreatFox + URLhaus + MalwareBazaar tools (9)
  otx/                    # AlienVault OTX tools (5)
  abuseipdb/              # AbuseIPDB tools (4)
  greynoise/              # GreyNoise Community tools (2)
  pulsedive/              # Pulsedive tools (3)
  hudsonrock/             # Hudson Rock stealer log tools (3)
  vulners/                # Vulners exploit tools (3)
  blockchain/             # Blockchain Intelligence tools (4)
  hybrid/                 # Hybrid Analysis malware tools (3)
  onionlookup/            # CIRCL Onion Lookup tool (1)
  intelx/                 # IntelligenceX tools (4)
  phishing/               # PhishTank tool (1)
  meta/                   # Meta tools (1)

Design decisions:

  • 16 providers, 1 server — Every data source is an independent module. The agent picks which tools to use based on the query.
  • Per-provider rate limiters — Each data source has its own RateLimiter instance calibrated to that API's limits. No shared bottleneck.
  • TTL caching — Ransomware data (15min), breach lists (10min), abuse.ch (5min) results are cached to avoid redundant API calls during multi-tool workflows.
  • Graceful degradation — Missing API keys don't crash the server. Tools return descriptive error messages: "Set HIBP_API_KEY to enable breach account search."
  • DNS leak prevention — Tor .onion tools use socks5h:// protocol to resolve DNS through Tor, preventing DNS leaks to the local resolver.
  • 4 dependencies — @modelcontextprotocol/sdk, zod, socks-proxy-agent, and cheerio. All clearnet HTTP via native fetch. All Tor traffic via SOCKS5.

Limitations

  • HIBP account/paste search requires a paid API key ($3.50/month)
  • IntelligenceX, AbuseIPDB, Hudson Rock, and Hybrid Analysis require API keys for their tools
  • Tor .onion tools require a running Tor SOCKS5 proxy (not bundled)
  • abuse.ch free tier has lower rate limits without ABUSECH_AUTH_KEY
  • Ransomware.live and RansomLook data depends on upstream scraping frequency
  • Blockchain tools support Bitcoin only (no Ethereum/Monero)
  • PhishTank database can lag behind real-time phishing campaigns
  • macOS / Linux tested (Windows not tested)

Part of the MCP Security Suite

| Project | Domain | Tools |
|---|---|---|
| hackbrowser-mcp | Browser-based security testing | 39 tools, Firefox, injection testing |
| cloud-audit-mcp | Cloud security (AWS/Azure/GCP) | 38 tools, 60+ checks |
| github-security-mcp | GitHub security posture | 39 tools, 45 checks |
| cve-mcp | Vulnerability intelligence | 23 tools, 5 sources |
| osint-mcp-server | OSINT & reconnaissance | 37 tools, 12 sources |
| darknet-mcp-server | Dark web & threat intelligence | 66 tools, 16 sources |

For authorized security testing and assessment only.
Always ensure you have proper authorization before performing intelligence gathering on any target.

MIT License • Built with Bun + TypeScript
